From: Dave Dittrich (dittrich@cac.washington.edu)
Date: Fri Nov 09 2001 - 15:03:34 CST
Errata.

It was pointed out to me that I forgot to include the README in
Appendix B. I also left out one other comment.
> The most recent version of this file can be found at:
>
> http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
The missing pieces are:
. . .
(Re: Scanning)
[NOTE: You are not necessarily vulnerable just because the banner
shows a version string that is listed as "affected". If the patches
listed in the RAZOR advisory, e.g., are applied, or if you eliminate
v1 and use v2 of the protocol exclusively, the server will not be
vulnerable.]
. . .
Appendix B
==========
The following is a README file that is accompanying one version
of the SSH crc32 exploit:
---
ssh exploit demystified: info supplied by XXXXXXXXXXXXXXXXXXXXXXXXXXXX

1. Rename the exploit to filename: ssh
2. Type: export blah=loser
3. Once you have figured out the syntax, this is how the exploit works:

   First stage is the brute force. If it quits while brute forcing and
   says "stack not found", it means the ssh is not vulnerable.
   Note: This takes ages; if it brute forces for anything more than
   45 min, I suggest you cancel it.

   Second stage: If brute force is successful it will move on to the
   second stage, where it will try some values.

   If the exploit shows this:

       exploiting...

   and freezes on the dots, it means you're in business.

   DO NOT CLOSE THE EXPLOIT. Instead open another term and telnet to the
   host's port 12345 for a bindshell. Remember to append commands with ;
   e.g.: ls;

   If it tries all the values and fails, then you're outta business and
   it should drop you back to shell.
EOF

p.s.: From my experience I have found the openssh 1.5 to be utter shit
in exploiting; the ssh 1.2.6-1.2.30 has a higher chance of success rate.

Last words: This exploit only works maybe 2/10 times, so be patient.
---
--
Dave Dittrich                           Computing & Communications
dittrich@cac.washington.edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
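The "(Re: Scanning)" note in the message above makes a point scanners routinely get wrong: a banner that matches an "affected" version string is not a verdict. The following Python triage is an added example, not part of Dave Dittrich's analysis or of the exploit README, and it applies that rule to captured SSH identification strings. A server advertising protocol 2.0 only will never complete the SSH-1 exchange, so an SSH-1 bug is unreachable regardless of what its software string says; a server advertising 1.99 still speaks SSH-1 and must be checked; and even an SSH-1 server whose version string is listed only becomes a candidate whose patch level has to be confirmed by other means, because a patched server keeps its old version string. The AFFECTED_PATTERNS entries and the sample banners are constructed placeholders for illustration, not the RAZOR advisory's table; the only range borrowed from the page is the "ssh 1.2.6-1.2.30" span quoted in the README.

```python
"""
Added example: triage SSH server identification strings so that a banner
match is reported as "candidate, confirm patch level" rather than
"vulnerable".  The parsing rule (SSH-<protoversion>-<software>[ comment],
protoversion 1.99 meaning the server accepts both SSH-1 and SSH-2) is the
wire convention; the affected-version list is a constructed placeholder.
"""
import re
from typing import Optional

# Identification string: "SSH-<protoversion>-<softwareversion>[ <comments>]"
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[^\s]+)(?:\s+(?P<comment>.*))?\s*$"
)

# Constructed placeholder for "software strings listed as affected".
# These are hypothetical illustrations, NOT the advisory's table.
AFFECTED_PATTERNS = [
    # ssh 1.2.6 .. 1.2.30, the range the README above says works best
    re.compile(r"^1\.2\.(?:[6-9]|[12][0-9]|30)$"),
    # hypothetical OpenSSH 1.2.x entry
    re.compile(r"^OpenSSH[_-]1\.2\.[0-9]+", re.IGNORECASE),
]


def parse_ident(line: str) -> Optional[dict]:
    """Split an identification string into its fields; None if it is not one."""
    m = IDENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comment": m.group("comment") or "",
    }


def protocol_versions_offered(proto: str) -> set:
    """Major protocol versions the server will negotiate, from protoversion.

    "1.99" is the conventional value for a server that accepts both SSH-1
    and SSH-2 clients; any other 1.x value is SSH-1 only; 2.x is SSH-2 only.
    """
    if proto == "1.99":
        return {1, 2}
    if proto.startswith("2."):
        return {2}
    if proto.startswith("1."):
        return {1}
    return set()


def triage(line: str) -> str:
    """Classify one banner; never returns a bare 'vulnerable' verdict."""
    info = parse_ident(line)
    if info is None:
        return "unparseable"
    if 1 not in protocol_versions_offered(info["proto"]):
        # An SSH-1-only bug cannot be reached if SSH-1 is never offered.
        return "not-vulnerable (protocol v1 not offered)"
    if any(p.search(info["software"]) for p in AFFECTED_PATTERNS):
        # The banner does not change when the vendor patch is applied, so
        # this is a candidate to confirm, not a finding.
        return "candidate (v1 offered, version listed; confirm patch level)"
    return "unlisted (v1 offered, version not in affected list)"


def triage_all(lines) -> list:
    """Return (banner, classification) pairs for a list of captured banners."""
    return [(line, triage(line)) for line in lines]


# Constructed sample banners; the software strings are placeholders.
SAMPLE_BANNERS = [
    "SSH-1.5-1.2.27",               # SSH-1 only, listed: candidate
    "SSH-1.99-OpenSSH_2.9p2",       # speaks SSH-1 too, but not listed
    "SSH-2.0-OpenSSH_2.9p2",        # SSH-2 only: bug unreachable
    "SSH-1.5-OpenSSH-1.2.3",        # SSH-1 only, listed: candidate
    "220 mail.example.test ESMTP",  # not an SSH server at all
]

if __name__ == "__main__":
    for banner, verdict in triage_all(SAMPLE_BANNERS):
        print(f"{banner:32} {verdict}")
```

Feed it the identification lines from your scanner's banner capture; anything marked "candidate" still needs the patch check the note above describes before it goes in a report.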
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com